Headphone maker Sennheiser is facing the music after being caught compromising the security of its customers.
The vendor's Headsetup and Headsetup Pro applications install both a root certificate and its secret private key on Windows and Mac computers, which can be used, for instance, by scumbags to intercept and decrypt users …

To be fair, Sennheiser make some genuinely decent kit; it isn't bling and flash for the sake of it. Look at their product range and the kind of accessories you cite are conspicuous by their absence; they're not the same as e.g. Beats, charging a premium for stuff that is at best mid-range.

Yes, a lot of the premium priced brands are simply marketing with nothing of substance to back it up, but genuine high-end audio gear commands a fair price too. You need to distinguish between the two.

Re: Why did Sennheiser [..] do this nonsense?

My question exactly. I've had radio headphones plugged into the TV for years, they didn't need no stinkin' app to work.

My current headphones are a not-too-pricey Sony model that work fine and plug in like every other kind I've ever had. I fail to see what is the point in having an app at all. You have an app for the sound card (or chip these days), that is where the tweaking should take place.

But headphones are for listening to the output, not for fiddling with it.

Sennheiser does other stuff too

The question is whether they have done this trick with other kit too - Sennheiser not only makes consumer products, but also professional kit such as near-ubiquitous radio microphones and medical kit such as hearing aids used by large numbers of NHS and private clinics. These days everything is set up by computer so if they have used a similar technique on the software, there could be hundreds of vulnerable computers sitting in clinics (and TV studios) around the country.

Re: Sennheiser does other stuff too

But those other things don't need a HTTP proxy to work. The software in question was to link scripts on arbitrary websites to the local hardware and is only required because the browsers are reluctant to do cross-domain stuff like that.

Radio mics don't tend to transmit over HTTP.

Not saying that they haven't bundled the crap with other installers, or made similar SNAFUs, just saying that this particular cockup is unlikely to affect other devices.

The fix is just as bad

Now the software relies on a key that only Sennheiser privately keeps a copy of.

So they've just appointed themselves as a root CA. Wait until that key leaks and...

What would be better in this case would be to generate a unique key on install. If it's only to authenticate 'localhost' then no-one else needs access to that key or to trust it. Plus if an attacker manages to steal a key off someone's installation, it will affect .. no-one else. If they have access to be stealing private keys, your system is already hosed without Sennheiser's help.

Re: Sennheiser

I was happy paying $$$ for a Sennheiser HD280PRO without any damn internet connection at all - and everyone who listens with them just sits there stunned because they have never heard sounds that realistic, or that clear.

Other than amazing sound quality, the best thing about (some) Sennheisers is that you can replace any part when it fails. After years of having to throw away great headphones from other manufacturers because of a mysteriously located cable break, or sonically obliterated driver, broken headband, lost and inexplicable tiny plastic part etc... I got some HD600s and haven't looked back.

Gold plated tat ... and star employees

A two part story about some great employees...

Part 1:

An engineer working for me was in a Best Buy (for right pondians, think of an ironically named version of Currys). In this Best Buy he observed a salesman foisting gold-plated HDMI cables on an unsuspecting elderly lady, "Ma'am, you see, the gold plating prevents the audio from having hiss and crackle..." As this was a bridge too far, he engaged the salesman and saved her a load of cash. Actually, after his analog/digital explanation she was so pissed she abandoned her multi-thousand dollar TV order. Our hero got ejected from the store, told he would be arrested (for what?) if he ever re-entered, and called some things I'm not going to repeat here.

Part 2:

He never re-entered. But morale around the office suddenly became extremely high. It turns out that somebody bought some TV-B-Gones (https://www.tvbgone.com/) and clandestinely installed them in the store so that the TVs on display would turn off. My people set up a seemingly random succession of "customers" who would rotate out the TV-B-Gones as they ran out of batteries. Hard to sell overpriced crap when it keeps shutting off, and your employees are running around with their hair ablaze.

I'm proud of these people but a little upset I wasn't invited to participate.

Certificate pinning won't help

Certificate pinning won't help with this at all. At least with Chrome, certificate pinning accepts any certificate signed by a locally installed root cert (as opposed to one which is distributed with the operating system). This is so that businesses who use a TLS decryption/encryption device to scan all outgoing TLS can continue to do so.

(I suspect the commentards here will have definite views on the desirability of such devices, but I can see why Chrome would decide not to fight that battle.)